jeltz
/
hostap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
17,219 Commits 3 Branches 0 Tags 25 MiB
Commit Graph

2 Commits

Author SHA1 Message Date
Michael Braun 99c1789ab1 PASN: Fix ASAN error in ptksa_cache_add() 
==19798==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000663f8 at pc 0x55a2c485a232 bp 0x7ffeb42dcaf0 sp 0x7ffeb42dcae0
READ of size 8 at 0x6110000663f8 thread T0
Connect STA wlan0 to AP
    #0 0x55a2c485a231 in ptksa_cache_add ../src/common/ptksa_cache.c:310
    #1 0x55a2c4398045 in hostapd_store_ptksa ../src/ap/wpa_auth_glue.c:943
    #2 0x55a2c4430980 in wpa_auth_store_ptksa ../src/ap/wpa_auth.c:232
    #3 0x55a2c44578e1 in sm_WPA_PTK_PTKINITDONE_Enter ../src/ap/wpa_auth.c:3650
    #4 0x55a2c44578e1 in sm_WPA_PTK_Step ../src/ap/wpa_auth.c:3798
    #5 0x55a2c44578e1 in wpa_sm_step ../src/ap/wpa_auth.c:4437
    #6 0x55a2c445d99d in wpa_receive ../src/ap/wpa_auth.c:1411
    #7 0x55a2c43e7747 in ieee802_1x_receive ../src/ap/ieee802_1x.c:1118
    #8 0x55a2c43bbf73 in hostapd_event_eapol_rx ../src/ap/drv_callbacks.c:1542
    #9 0x55a2c43bbf73 in wpa_supplicant_event ../src/ap/drv_callbacks.c:1932
    #10 0x55a2c466cb2d in drv_event_eapol_rx ../src/drivers/driver.h:6074
    #11 0x55a2c466cb2d in nl80211_control_port_frame ../src/drivers/driver_nl80211_event.c:2822
    #12 0x55a2c466cb2d in process_bss_event ../src/drivers/driver_nl80211_event.c:3194
    #13 0x7feed9e90b9b in nl_cb_call ./include/netlink-private/netlink.h:145
    #14 0x7feed9e90b9b in recvmsgs ./lib/nl.c:1006
    #15 0x7feed9e90b9b in nl_recvmsgs_report ./lib/nl.c:1057
    #16 0x7feed9e91058 in nl_recvmsgs ./lib/nl.c:1081
    #17 0x55a2c45f2e8c in wpa_driver_nl80211_event_receive ../src/drivers/driver_nl80211.c:1782
    #18 0x55a2c44b9afa in eloop_sock_table_dispatch ../src/utils/eloop.c:603
    #19 0x55a2c44be122 in eloop_run ../src/utils/eloop.c:1228
    #20 0x55a2c43360bf in hostapd_global_run /home/mbr/hostapd/hostapd/main.c:451
    #21 0x55a2c43360bf in main /home/mbr/hostapd/hostapd/main.c:898
    #22 0x7feed8ce20b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #23 0x55a2c432f3fd in _start (/home/mbr/hostapd/hostapd/hostapd+0x9f23fd)

0x6110000663f8 is located 184 bytes inside of 216-byte region [0x611000066340,0x611000066418)
freed by thread T0 here:
    #0 0x7feeda1477cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x55a2c44ce56b in os_free ../src/utils/os_unix.c:773
    #2 0x55a2c451a986 in radius_msg_free ../src/radius/radius.c:137
    #3 0x55a2c4527104 in radius_client_msg_free ../src/radius/radius_client.c:261
    #4 0x55a2c452f53c in radius_client_list_add ../src/radius/radius_client.c:715
    #5 0x55a2c452f53c in radius_client_send ../src/radius/radius_client.c:807
    #6 0x55a2c453b24c in accounting_sta_report ../src/ap/accounting.c:352
    #7 0x55a2c453d6e9 in accounting_sta_stop ../src/ap/accounting.c:384
    #8 0x55a2c44190fd in ap_free_sta ../src/ap/sta_info.c:194
    #9 0x55a2c4934530 in handle_deauth ../src/ap/ieee802_11.c:6035
    #10 0x55a2c4934530 in ieee802_11_mgmt ../src/ap/ieee802_11.c:6399
    #11 0x55a2c43bf114 in hostapd_mgmt_rx ../src/ap/drv_callbacks.c:1468
    #12 0x55a2c43bf114 in wpa_supplicant_event ../src/ap/drv_callbacks.c:1912
    #13 0x55a2c465faf7 in mlme_event_mgmt ../src/drivers/driver_nl80211_event.c:823
    #14 0x55a2c4661774 in mlme_event ../src/drivers/driver_nl80211_event.c:1135
    #15 0x55a2c466c43b in process_bss_event ../src/drivers/driver_nl80211_event.c:3177
    #16 0x7feed9e90b9b in nl_cb_call ./include/netlink-private/netlink.h:145
    #17 0x7feed9e90b9b in recvmsgs ./lib/nl.c:1006
    #18 0x7feed9e90b9b in nl_recvmsgs_report ./lib/nl.c:1057

previously allocated by thread T0 here:
    #0 0x7feeda147bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55a2c44cd387 in os_malloc ../src/utils/os_unix.c:715
    #2 0x55a2c44ceb7f in os_zalloc ../src/utils/os_unix.c:779
    #3 0x55a2c451a9f2 in radius_msg_new ../src/radius/radius.c:109
    #4 0x55a2c4539a6e in accounting_msg ../src/ap/accounting.c:46
    #5 0x55a2c453be15 in accounting_report_state ../src/ap/accounting.c:439
    #6 0x55a2c453d91d in accounting_init ../src/ap/accounting.c:534
    #7 0x55a2c4378952 in hostapd_setup_bss ../src/ap/hostapd.c:1333
    #8 0x55a2c4382530 in hostapd_setup_interface_complete_sync ../src/ap/hostapd.c:2094
    #9 0x55a2c4382815 in hostapd_setup_interface_complete ../src/ap/hostapd.c:2229
    #10 0x55a2c4384100 in setup_interface2 ../src/ap/hostapd.c:1726
    #11 0x55a2c4386b58 in setup_interface ../src/ap/hostapd.c:1628
    #12 0x55a2c4386b58 in hostapd_setup_interface ../src/ap/hostapd.c:2318
    #13 0x55a2c4387a57 in hostapd_enable_iface ../src/ap/hostapd.c:2730
    #14 0x55a2c455d723 in hostapd_ctrl_iface_enable /home/mbr/hostapd/hostapd/ctrl_iface.c:1606
    #15 0x55a2c455d723 in hostapd_ctrl_iface_receive_process /home/mbr/hostapd/hostapd/ctrl_iface.c:3607
    #16 0x55a2c456821e in hostapd_ctrl_iface_receive /home/mbr/hostapd/hostapd/ctrl_iface.c:4018
    #17 0x55a2c44b9afa in eloop_sock_table_dispatch ../src/utils/eloop.c:603
    #18 0x55a2c44be122 in eloop_run ../src/utils/eloop.c:1228
    #19 0x55a2c43360bf in hostapd_global_run /home/mbr/hostapd/hostapd/main.c:451
    #20 0x55a2c43360bf in main /home/mbr/hostapd/hostapd/main.c:898
    #21 0x7feed8ce20b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/common/ptksa_cache.c:310 in ptksa_cache_add
Shadow bytes around the buggy address:
  0x0c2280004c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280004c30: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280004c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280004c50: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c2280004c60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2280004c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c2280004c80: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280004c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280004ca0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c2280004cb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280004cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==19798==ABORTING

Fixes: a4e3691616 ("WPA: Add PTKSA cache implementation")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
 2021-08-19 16:51:20 +03:00
Ilan Peer a4e3691616 WPA: Add PTKSA cache implementation 
In order to be able to perform secure LTF measurements, both the
initiator and the responder need to first derive TK and KDK and store
them, so they would later be available for the secure LTF negotiation.

Add a basic implementation of a PTKSA cache that stores derived TK/KDK
which can later be used for secure LTF negotiation, and add it to the
build configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
 2021-01-25 18:36:40 +02:00